osixia / docker-openldap

OpenLDAP container image 🐳🌴
MIT License

refint module loaded yet non-functional? #306

Open kawaii opened 5 years ago

kawaii commented 5 years ago

I've checked to see which modules I have loaded:

root@df9e28082ada:/# cat /etc/ldap/slapd.d/cn\=config/cn\=module\{0\}.ldif 
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 9dd17591
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}memberof
olcModuleLoad: {2}refint

As you can see, olcModuleLoad: {2}refint clearly shows that the refint module is loaded (and so is memberof). However, when creating a new group (using RFC2307Bis) at the same time as adding multiple member attributes, everything works perfectly and my users have the memberOf attribute when requested. If I add members to an existing group, however, it seems that refint isn't automatically updating the database with the new memberOf values.

Same symptoms as found in the links below:

https://serverfault.com/questions/850435/memberof-not-working-with-ldapmodify
https://serverfault.com/questions/537122/openldap-memberof-attribute-is-not-updated-after-group-update
https://serverfault.com/questions/73213/how-do-i-configure-reverse-group-membership-maintenance-on-an-openldap-server

kawaii commented 5 years ago

Here's an example group:

version: 1

dn: cn=access-service-test,ou=groups,dc=example
objectClass: posixGroup
objectClass: top
objectClass: groupOfNames
cn: access-service-test
gidNumber: 600
member: uid=test.user,ou=people,dc=example
member: uid=another.user,ou=people,dc=example

In this case, test.user was added to the OU at the time of creation, another.user was added after the creation of the OU. Here are the results of using ldapsearch:

root@df9e28082ada:/tmp# ldapsearch -x -LLL -H ldap:/// -W -D cn=admin,dc=example -b ou=people,dc=example dn memberof
Enter LDAP Password: 
dn: ou=people,dc=example

dn: uid=test.user,ou=people,dc=example
memberOf: cn=access-service-test,ou=groups,dc=example

dn: uid=another.user,ou=people,dc=example

kawaii commented 5 years ago

Update: Changing the objectClass to groupOfUniqueNames instead of just groupOfNames, and using the uniqueMember attribute instead of just the member attribute seems to update the database correctly, so why doesn't this happen with normal groupOfNames with members?

quanah commented 5 years ago

Loading a module doesn't mean it's being used. You also have to instantiate it on the database as well. You don't show that you took that step.
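The distinction quanah draws above, that olcModuleLoad only loads the code and an olcOverlay entry under the database is what actually activates it, can be checked mechanically from cn=config. The script below is an added example, not part of osixia/docker-openldap or of this issue: it parses cn=config LDIF, lists loaded modules against instantiated overlays per database, flags overlay modules that are loaded but attached to no database, and builds the LDIF that would attach refint. SAMPLE_CONFIG is constructed to mirror the issue (memberof has an overlay entry, refint does not); the set of overlay module names and the olcRefintNothing placeholder DN are assumptions to adjust for your own deployment.

```python
"""Audit slapd cn=config: which modules are loaded vs. which overlays are
actually instantiated on a database. Added example, not project code.
Usage inside the container:  python3 audit_overlays.py /etc/ldap/slapd.d
With no argument it runs against the constructed SAMPLE_CONFIG below."""
import os
import re
import sys
from collections import defaultdict

ORDER_PREFIX = re.compile(r"^\{\d+\}")
# Modules that are overlays: loading them does nothing until an olcOverlay
# entry instantiates them on a database. Assumed list; back_* backends and
# password-hash modules are deliberately not in it and are never flagged.
OVERLAY_MODULES = {"memberof", "refint", "ppolicy", "syncprov", "unique",
                   "dynlist", "constraint", "auditlog", "accesslog"}

# Constructed sample: memberof and refint loaded, only memberof instantiated.
SAMPLE_CONFIG = """\
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}memberof
olcModuleLoad: {2}refint

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}mdb
olcSuffix: dc=example

dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {0}memberof
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
"""


def parse_ldif(text):
    """Entries as dicts of lower-cased attribute -> [values]; handles '#'
    comments and LDIF line folding (continuation lines start with a space)."""
    entries, current, last = [], None, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current, last = None, None
            continue
        if line.startswith(" ") and current is not None and last:
            current[last][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        last = attr.strip().lower()
        current[last].append(value.strip())
    if current:
        entries.append(current)
    return entries


def module_name(value):
    """'{2}refint' -> 'refint', '{1}memberof.la' -> 'memberof'."""
    name = ORDER_PREFIX.sub("", value).strip()
    for suffix in (".la", ".so"):
        if name.endswith(suffix):
            name = name[: -len(suffix)]
    return name


def loaded_modules(entries):
    mods = set()
    for e in entries:
        if "olcmodulelist" in [v.lower() for v in e.get("objectclass", [])]:
            mods.update(module_name(v) for v in e.get("olcmoduleload", []))
    return mods


def instantiated_overlays(entries):
    """Database DN -> overlay names; olcOverlay entries sit under the
    olcDatabase entry they are attached to, so the parent DN is the database."""
    overlays = defaultdict(set)
    for e in entries:
        for v in e.get("olcoverlay", []):
            overlays[e["dn"][0].split(",", 1)[1]].add(module_name(v))
    return dict(overlays)


def loaded_but_not_instantiated(entries):
    used = set().union(*instantiated_overlays(entries).values()) \
        if instantiated_overlays(entries) else set()
    return sorted(m for m in loaded_modules(entries)
                  if m in OVERLAY_MODULES and m not in used)


def refint_overlay_ldif(database_dn, attributes=("member", "memberOf"),
                        nothing="cn=admin,dc=example"):
    """LDIF to ldapadd against cn=config that instantiates refint on one
    database. 'nothing' is the DN refint substitutes rather than leave a
    MUST attribute empty; the default is an assumed placeholder."""
    return "\n".join([f"dn: olcOverlay=refint,{database_dn}",
                      "objectClass: olcOverlayConfig",
                      "objectClass: olcRefintConfig",
                      "olcOverlay: refint",
                      "olcRefintAttribute: " + " ".join(attributes),
                      f"olcRefintNothing: {nothing}", ""])


def read_slapd_d(root):
    """Join every .ldif under slapd.d (one entry per file) into one LDIF."""
    chunks = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(f for f in files if f.endswith(".ldif")):
            with open(os.path.join(dirpath, name), encoding="utf-8") as fh:
                chunks.append(fh.read().rstrip("\n"))
    return "\n\n".join(chunks)


if __name__ == "__main__":
    entries = parse_ldif(read_slapd_d(sys.argv[1]) if len(sys.argv) > 1
                         else SAMPLE_CONFIG)
    print("loaded modules:", sorted(loaded_modules(entries)))
    for db, names in instantiated_overlays(entries).items():
        print(f"overlays on {db}: {sorted(names)}")
    for m in loaded_but_not_instantiated(entries):
        print(f"WARNING: module '{m}' is loaded but has no olcOverlay entry")
```

Run against the sample, the script reports refint as loaded without an overlay entry, which is exactly the state the module{0}.ldif listing in the first comment cannot rule out on its own. Note that the memberof overlay entry in the sample also sets olcMemberOfRefInt: TRUE, which is the memberof overlay's own referential-integrity switch and is separate from instantiating slapo-refint.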